Fraud


YOUR AWARD-WINNING SUPPLEMENT

$3.7tn!

IBM’s Paul Clandillon on the eye-watering global cost of fraud

Plus…

August 2015

Inside

Frank Abagnale’s top five tips for avoiding fraud

FRAUD Catch them if you can

EXCLUSIVE INTERVIEW

JOANNE FREARSON TALKS TO FRANK ABAGNALE, THE CON ARTIST TURNED FBI ADVISER WHOSE LIFE STORY BECAME A HOLLYWOOD BLOCKBUSTER

DISTRIBUTED WITHIN THE SUNDAY TELEGRAPH, PRODUCED AND PUBLISHED BY LYONSDOWN WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS


Business Reporter · August 2015


Opening shots René Carayol

There is rarely a business bulletin nowadays that doesn’t mention a significant successful fraud. This is of course not the full picture, as most businesses and many consumers do not feel compelled to report their perceived lax controls. It’s now nearly always a sophisticated cyber-attack or the now more prosaic online fraud. This is not news, but it is certainly becoming far more widespread and consequently, far more concerning.

We are all much more aware about opening that badly spelled email, or the one with the dodgy logo, but these phishing emails still work. Many are still encouraged to part with their personal details. Even simple online searches may lead to a website that only exists to harvest credit card details.

The real concern is that while there is a huge focus on the problem of fraud, there is much less of a concerted drive on the solutions for this highly contagious extortion. The scale of the problem is frightening and growing, so much so that we are struggling to find out more information – many consumers are scared to take part in the necessary online research, as they have become paranoid about phishing. Far too many large businesses are petrified of causing a huge run on their stocks and reputation if they were to “fess up” about the scale and success of cyber-attacks on their data.

There were 459 reported data breach incidents, in which potentially sensitive data about individuals was lost or stolen, in the first three months of this year, according to the Information Commissioner’s Office (ICO). This month the ICO warned that many more people may be vulnerable to identity theft following a data breach at Carphone Warehouse. Up to 2.4 million customers of the retailer had their personal details – potentially including names, addresses, bank details and dates of birth – stolen by a hacker. The credit card data of up to 90,000 customers may also have been accessed. The electronics giant Sony and the mobile operator Talk Talk have been targeted by hackers over the past 12 months. The supermarket chain Morrisons also suffered a data breach last year. The number of reported data breaches is up 16 per cent to 1,814 in 2014, says the ICO.

There really should not be any element of surprise anymore – walking into a high street store armed with a stolen credit card has become an extremely high-risk strategy. No one hears you scream online – it is far too distant and anonymous. The experienced scam artist may have hundreds of stolen card numbers to work with and will quickly work out which ones are still working or have yet to be reported as stolen.

Some obvious ideas for stopping these scammers include increased criminal and civil sanctions, increased public education of consumers to help them avoid getting conned, the creation of an anti-scamming task force, and using solid payment systems as a secure checkpoint for scammers. However, because the ubiquity of scam artists prevents many from instant co-operation, it is vital we all become part of the solution. Suspicious behaviour must be reported to the authorities with as much detail as possible. Not all of these crooks will be identified or caught, but reticence only aids and abets the scammers.

It is high time to convert retreat into advance, but nameless and faceless enemies work best when their worst deeds are treated with silence and a fear that your organisation will be singled out as unsafe, unsecure and lax with other people’s valuable and private data. Fraud is everyone’s problem and we are so much stronger together.

Faceless fears: no one hears you scream online – it is far too distant and anonymous

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH

THE ESSENTIALS

Publisher Bradley Scheffer | Editor Daniel Evans | Production Editor Dan Geary



Client manager Lillah Michli l.michli@lyonsdown.co.uk | Project manager Safia Butt | Contact us at info@lyonsdown.co.uk


UK business facing annual £98.6billion fraud bill

By Joanne Frearson

UK businesses are losing an estimated £98.6billion annually to fraud, according to a report undertaken by the University of Portsmouth’s Centre for Counter Fraud Studies, and accountancy firm PKF Littlejohn.

Professor Mark Button, co-author of The Financial Cost Of Fraud 2015 report and director of the Centre for Counter Fraud Studies, says: “The key questions for any organisation are how much does fraud cost us, and how well are we protected against it?

“Unless you know the nature and scale of your fraud problem and whether you are properly protected against it, how can you act proportionately?”

According to the report, once the extent of fraud losses is known within a company, they can be treated like any other business cost – something to be reduced and minimised in the best interest of the financial health and stability of the organisation concerned.

PKF Littlejohn has seen reductions in fraud in companies of up to 40 per cent within 12 months just through measuring the extent of it within a company and then putting in actions to prevent any further losses.

Jim Gee, head of Forensic and Counter Fraud Services for PKF Littlejohn, says: “Beating fraud is every company’s business. If a business was paying 6 per cent over the odds for its energy and utilities, or rental properties, then management would be quick to act, or shareholders and investors would want to know why. Fraud is the last great unreduced business cost.

“In these current economic times, it will take a brave chief executive or director of finance of any organisation who turns a blind eye to these findings,” Gee continues. “More than two thirds of the exercises we reviewed showed fraud-related losses of more than 3 per cent of expenditure, with the 17-year average running at 5.6 per cent but with some areas of expenditure, such as procurement, rising to anywhere between 7 and 18.7 per cent.”

The research also found that fraud continued to increase after the recession. Gee says: “It may be that longer-term social and technological factors are an underlying cause of the growth of fraud, such as a greater individualisation (less adherence to collective moral and ethical ‘norms’ driven by increased isolation as we all retreat inside our digital devices); the increased complexity of processes and systems (it becoming easier to disguise fraud amid this complexity); fewer face-to-face transactions (fraudsters feeling more distant from the victims of their dishonesty and thus less concerned about any response); more people under financial pressure during the financial crisis; and the increasing pace of change in business (with controls struggling to keep up).”



Find us online: business-reporter.co.uk | Join us on LinkedIn: Business Reporter UK | Follow us on Twitter: @biznessreporter

Adoption and collaboration are key to defeating the cyber threat

Cyber-crime is now one of the most serious threats to businesses and national economies. It is rare that a week goes by without a story breaking about a business that has suffered a cyber-attack. Already this summer in the US, Jeep Cherokee told customers to update their cars after hackers crashed a vehicle, having accessed on board software. While here in the UK, Carphone Warehouse announced that personal details of more than two million customers had been exposed.

According to PwC, the professional services firm, cyber-security incidents reported in 2014 by large businesses increased globally by 48 per cent to 42.8million. Notably, out of almost 10,000 organisations polled by PwC worldwide, nearly one in ten reported breaches costing their business a total of more than $10million annually. The real figure could also be much higher, with the London Metropolitan Police recently estimating that large firms hide up to 88 per cent of fraud, for fear of worrying shareholders or losing competitive advantage.

For financial services and the payments industry, the good news is that payments have never been safer, with global fraud levels around only six cents in every $100. Nevertheless, the biggest bank raid in history – uncovered earlier this year – was not staged by balaclava-clad crooks wielding sawn-off shotguns. It was a group of hackers that managed to steal £650million from more than 100 financial institutions around the world with the click of a mouse.

Resultant attacks not only carry a financial cost but a reputational one too, as stories are amplified in an unyielding 24/7 news cycle – made all the more damaging when trust in the banking sector has fallen in recent years. In addition, the growth in electronic payments, coupled with the digital explosion of the internet of things (IoT), turning phones and watches into payment tools that change how and where we can pay, has created a fertile ground for criminals.

Research indicates that the use of mobile wallets will increase exponentially in the coming years, and the widespread use of mobile banking apps will mean mobile devices will be increasingly targeted by skilled attackers. The technologies to counter these threats do exist, but businesses need to act quickly to adopt them, and they need to understand that an attack could happen to them too. This is the changing face of crime: targets who were previously not on the radars of criminals now are because of the geographical ease with which crimes can be committed against your business. Yes, payments have never been safer, but criminals have never been smarter, and the noise around security never louder.

“There is no silver bullet to fighting fraud. Businesses require a multi-layered approach to safety and security in order to effectively manage the rapid change in consumer behaviour brought about by rapidly advancing technology,” says Ajay Bhalla, president of enterprise security solutions at MasterCard. “Such an approach allows for agility in order to detect and prevent potential attacks quickly.”

At MasterCard we are taking the lead in building the next generation of tools and services capable of handling the evolution in cyber-threats. With our Safety Net tool we protect against the impact of cyber-hacking of banks and processors, using our global network to identify potential attacks before they start, or in some cases before the bank or processor is even aware. Safety Net identifies fraud in real time and can decline transactions before harmful exposure takes place.

We are also working to transform complex fraud solutions into simple products for banks and retailers. We are working on new ways to authenticate transactions, shifting towards new forms of biometric identification such as fingerprint, facial and retina recognition. This month we launched a consumer experience in the Netherlands, enabling online shoppers to complete payments using face and fingerprint biometrics for the first time.

Businesses also need to collaborate more with each other and law enforcement agencies to tackle the cyber-crime threat. In this new world, every business has a role to play in sharing its insights and learning in an appropriate way, in order to win the fight against cyber-criminals. In addition, large businesses cannot neglect the value of encouraging collaboration internally in order to drive awareness on the importance of security among employees. As the number of devices used for business across multiple locations increases, businesses need to constantly ensure they are raising awareness of the threat of cyber-crime, and treat education of the issue as an iterative rather than a one-off process.

The payments industry as a whole, through the implementation of global standards, also has a responsibility to enhance the overall payment experience without making compromises on safety. That is why safety and security has always been MasterCard’s number one priority as we work to ensure everyone is protected everywhere and every time they pay.

Digital advancement has created both seismic opportunity and complexity in equal measure. To capitalise on the opportunity that the internet of things will bring, businesses need to adopt a mind-set that sees security innovations as vital rather than optional. To really stay one step ahead, we need to work in partnership and help stimulate this change in mindset. There will be more change in the payment landscape in the next five years than there has been in the past 50 and innovations in security must continue to evolve quicker than the ingenuity of criminals. For the sake of their bottom line, businesses cannot afford to let their guard down, today or tomorrow.

020 7557 5000
www.mastercard.com



Like us: www.facebook.com/biznessreporter | Contact us at info@lyonsdown.co.uk


UK internal fraud rises by 18 per cent, claims survey

Internal frauds rose 18 per cent in 2014 compared with the previous year, according to the annual Employee Fraudscape report from CIFAS, the UK’s fraud prevention service.

Simon Dukes, CEO of CIFAS, says: “Fraud is not just about remote attacks – some of the most dangerous threats can come from within. Internal fraud costs huge amounts in money, reputation and employee morale. Customers are also affected when their personal data is stolen by an insider.

“CIFAS members are taking action to report and fight fraud, supporting the honest majority. But it is concerning that many other UK organisations are not, enabling fraudsters to move around from job to job, free to commit fraud again.

“We urge all organisations to do more – sharing confirmed fraud data remains one of the simplest, most cost-effective ways to prevent the actions of a small minority from causing huge damage.”

Research carried out by the University of Portsmouth on behalf of CIFAS discovered that the financial impact of an internal fraud can be several times more than the sum lost to the fraudster in the first place. Investigations into fraud can be costly and lengthy, especially if the fraud is complex and the process becomes drawn out. There are also indirect costs – regulators may impose penalties on the employer, and the damage could be reputational as well as financial. And ultimately, if companies do not protect their consumers’ data, it is likely they will take their business elsewhere.

Endemic bribery culture raising cost of business

By Joanne Frearson

Corruption increases the cost of doing global business on average 10 per cent per year, with bribery estimated to be a $1trillion industry, according to the World Bank. Recent high profile cases such as the bribery allegations against FIFA only stress how widespread the problem has become.

In May 2015, nine FIFA officials and five corporate executives were indicted after an FBI investigation to face charges of racketeering, wire fraud and money laundering conspiracies in international soccer. The alleged FIFA corruption took place over a 24-year period. It is alleged US and South American sports marketing executives were paid well over $150million in bribes and kickbacks to obtain lucrative media and marketing rights to international soccer tournaments.

Richard Weber, chief of the IRS Criminal Investigation Division, noted at the time: “When leaders in an organisation resort to cheating the very members that they are supposed to represent, they must be held accountable. Corruption, tax evasion, and money laundering are certainly not the cornerstones of any successful business.”

Research reveals cases such as FIFA’s are hardly isolated incidents. Analysis by the OECD late last year confirmed that most international bribes paid by large companies are usually done with the knowledge of senior management. The OECD looked at 427 cases of foreign bribery and found that, in almost half of the cases, management-level employees paid or authorised the bribe, while the company CEO was involved in 12 per cent of cases.

Bribes were generally paid to win contracts from state-owned or controlled companies in advanced economies, rather than in the developing world, and most bribe payers and takers were from wealthy countries. The majority of bribes, 57 per cent, were paid to obtain public procurement contracts, while 12 per cent were for clearance of customs procedures. On average, bribes equaled 10.9 per cent of the total transaction value and 34.5 per cent of the profits.

Angel Gurría, secretary-general at the OECD, says: “Corruption undermines growth and development. The corrupt must be brought to justice. The prevention of business crime should be at the centre of corporate governance. At the same time, public procurement needs to become synonymous with integrity, transparency and accountability. Bribery cannot be blamed on rogue employees. In over half the cases studied, senior management were involved in corrupt behaviour or were at least aware of it. Companies can no longer play the victim.”

The OECD also found intermediaries were involved in three out of four foreign bribery cases. These intermediaries were agents, such as local sales and marketing agents, distributors and brokers, in 41 per cent of cases. Another 35 per cent of intermediaries were corporate vehicles, such as subsidiary companies, companies located in offshore financial centres or tax havens, or companies established under the beneficial ownership of the public official who received the bribes.

The OECD believes these figures could be just the tip of the iceberg and potentially be much higher given the complexity and concealed nature of corrupt transactions. To combat bribery, the OECD is calling for an oversight of corporate compliance and due diligence programmes, and for governments to strengthen sanctions, make settlements public and reinforce the protection of whistleblowers.

In countries where corruption is rife, problems with security and terrorism are also rampant. The 2014 Corruption Perceptions Index, produced by Transparency International, showed more than two thirds of countries scored below 50 on a scale from 0 (perceived to be highly corrupt) to 100 (perceived to be very clean). North Korea and Somalia were in the last spot, scoring just eight, while Denmark came out top, with a score of 92.

Transparency International is calling on countries to create public registers that would make clear who really controls, or is the beneficial owner, of every company. Cobus de Swardt, managing director of Transparency International, says: “None of us would fly on planes that do not register passengers, yet we allow secret companies to conceal illegal activity. Public registers that show who really owns a company would make it harder for the corrupt to take off with the spoils of their abuse of power.”

One country that is taking steps to set up a registry is the UK. It will be the first major country to establish a publicly accessible central registry showing who really owns and controls all UK companies.

Prime Minister David Cameron says: “Corruption is one of the greatest enemies of progress in our time. Corruption runs completely counter to our values. It rewards those who don’t play by the rules.

“Tackling corruption isn’t just morally right. It’s economically right too. Companies that become complicit in paying bribes find that they face higher costs, then embark on contracts that may never be honoured, they operate in a false environment that can change suddenly and dramatically, and they incur reputational damage for being complicit in a corrupt system.”

Bribery charges brought by the FBI led to the arrests of nine FIFA officials and the resignation of FIFA president Sepp Blatter (pictured) earlier this year



Achieving the right balance

Is it possible for an online business to combine rigorous fraud screening with their payment solution without making the overall experience so complex it causes consumer frustration and basket abandonment? Merchants can be reluctant to adopt fraud services because they are perceived as constraining business growth, but it is possible to increase profitability and enhance brand value by implementing a trusted and effective solution.

Payment and fraud services should be designed hand-in-glove to enhance a merchant’s brand, not detract from it, and if implemented correctly can actually increase online revenues. Merchants today recognise the importance of an effective online presence, and are prepared to invest time and money creating a website that reflects their values. It therefore follows that these values should flow through the entire customer journey, including the payment process and fraud checks.

Trustpay Global’s intuitive online and mobile solution, pinPay™, has managed to achieve the right balance. Patented two-factor step-up authentication for higher-value or suspect transactions is combined with a unique and intuitive express checkout payments experience, providing the maximum protection to merchants and consumers in more than 22 countries. pinPay™ works seamlessly with a merchant’s website and ensures that consumers’ payment and personal data are encrypted and stored in highly secure data vaults without being detrimental to the end-to-end payments process.

Combatting fraud and increasing revenues are not mutually exclusive. With the right partner it is possible to reduce fraud and increase revenues and profitability.

info@trustpayglobal.com
www.trustpayglobal.com

As modern fraudsters get bolder and more sophisticated, Joanne Frearson talks to IBM’s Paul Clandillon about how to take them on

IBM fraud expert Paul Clandillon

The amount being lost by corporations on fraud now totals approximately $3.7trillion of global GDP. Fraudsters have become more sophisticated. They are no longer looking at small opportunistic crimes, but are working together to hoodwink big firms out of millions.

Paul Clandillon, European practice leader of fraud and financial crime solutions at IBM Software Group, says: “The big step change we see now is gangs of criminals emerging, which are starting to carry out much more complex and highly organised attacks.

“The problem with these more complex collusive attacks is that you may be attacked at multiple points across an organisation simultaneously.”

According to Clandillon, if a company is only using traditional approaches to defend itself against these attacks, it is leaving itself vulnerable to fraudulent activity. “On average, fraud carried out by an individual tends to be about $80,000, but fraud carried out by four or more parties tends to be over $500,000,” he says.

“The Association of Chartered Fraud Examiners, in its 2014 annual survey, asked all individual certified fraud examiners to make an estimate of what they believed fraud losses were in their industries.

“Their estimate was 5 per cent of turnover. If you extrapolate 5 per cent of turnover as a proportion of 5 per cent of global GDP, you get $3.7trillion. That is a very big number and gives you a very good order of magnitude of how big the problem is. It is the equivalent of 260 Olympic Games. If you want to run an Olympics every day all you do is eliminate fraud.”

Criminals are not just working in one gang, but in several, with each group taking a different cut of the spoils. “Fraudsters are getting more organised,” Clandillon says. “We have seen this in a couple of recent cases, where almost an underground industry has emerged, in which different groups of criminals supply different services as part of an overall fraud.

“There is a classic case which involved a Middle Eastern bank. The bank suffered a debit card fraud and lost $47million over a weekend.

“Essentially what happened was that one group of fraudsters suborned an employee to get access to private card data. They passed this to another group of fraudsters, who then created cloned cards. The third group took the cloned cards and used the cards to withdraw money from ATMs. This money was then passed on to a fourth group, who bought high-value goods for resale, thereby returning clean money to the overall perpetrators. There were four different groups playing four different distinct roles there. It was highly organised.”

As the $3.7trillion figure suggests, this type of crime is not isolated, and is happening frequently. Many companies lack the knowledge to be able to deal with the fraudsters effectively. “Awareness has been a problem to date,” Clandillon says. “Two thirds of companies still have no analytical capabilities to detect potentially suspicious transactions in their business. We know that companies who put in place fraud detection capabilities suffer 50 per cent less losses.”

Companies need to take proactive steps to combat fraud, says Clandillon. He explains that one of the first things management should do to tackle fraudsters is to make sure there is an awareness of the problem across the organisation as a whole.

“There are many different types of frauds which can be perpetrated against many different parts of an organisation,” he explains. “You have to be able to look at fraud across all of your organisations simultaneously. If you cannot do that, it becomes very difficult to spot collusive networks in operations, and relationships between parties.

“The challenge of taking on fraud needs to be recognised as an enterprise-wide requirement. It needs to be managed at an enterprise



level. It needs to be supported by a fraud enterprise investigation team.”

Clandillon believes that in order for a company to harden itself against fraudster attacks, it should look at it like the layers of an onion. The outer layer involves establishing a set of defences preventing people gaining unauthorised access through IT assets, while the inside layer is about forming a set of processes to combat vulnerable areas.

“The next thing behind that is a set of audit capabilities,” he says. “A set of risk-assessment capabilities and practices which ensure processes are being executed properly. The last layer is a set of tools and technologies which allow firms to identify potentially suspicious behaviour wherever it might occur in an organisation.”

Alongside this, a company should also have a dedicated anti-fraud unit, which understands the business side of things as well as the technological. “The anti-fraud unit will have a number of roles,” says Clandillon. “They will create the rules and analytical models, identify the patterns that will tell us it is essentially fraud, investigate the fraud and also discover new patterns of which they have previously been unaware.”

According to Clandillon, historical data should also be used to look for where fraud has occurred. Once fraud is discovered, rules and analytics should be updated. He also believes unstructured data should be examined as well as structured. He says: “There is a vast wealth of information out there, both internally in companies and externally on the internet. The huge amount of unstructured data out there on the web really constitutes an enormous source of intelligence for investigators. It makes them much more productive if they can tap into it.”

Clandillon explains that if you look at internet references on a person, for example, it might reveal if they had county court judgements against them.

Emerging technologies are also giving companies new hope in the fight against fraud. Clandillon says: “The most obvious one is big data. Analytical engines now can consume vast amounts of data, in historical and real time. This can find far more interesting patterns than we were able to before.

“Other styles of analytics are emerging, such as entity analytics, to help fight fraud. When you look at a vast database of information, entity analytics can tell you who knows who and who does business with who. It will allow you to display it in a way that makes it really easy to find fraud.”

Above: The proceeds from global fraud in 2015 are enough to pay for 260 Olympic Games; below: credit card cloning is one “growth sector” within the fraud industry

The key to avoiding high value fraud

While recent attention has focused on micro-payments and sub-£20 contactless transactions, there remains an exposure for higher value transactions, consent and contracting. Biometric technologies are now available, which can substantially reduce fraud in these cases. Whether online, in-store or face-to-face, a handwritten signature recognised by the smartest biometric software can uniquely identify individuals in real time. These systems are now being used across Europe by wealth managers for high net-worth individuals, retail banks for mid-market services and insurers for contracting, transfers and claims.

Organisations are challenged as technological fragmentation poses new uncertainties. Proving that a fingerprint was not forged is fraught with difficulties when household materials can scam the latest systems only 40 minutes after gaining a sample print from a glass.

The legal recognition of signatures and seals predates Magna Carta. This complex heritage comprising evidential weight interpretations for identity verification forms a robust baseline. Technology substitutes the paper/ink for digital, where the combination of handwriting speed, pressure, angle and X-Y axis deposition, mapped at 80-230 times per second creates a “biometric signature” which is unique to the individual. It is almost impossible to forge and, with the right software for capture, recognition and sealing remains non-refutable for decades. Indeed, the technology is so reliable that in Italy the legal burden of proof is now reversed.

Fraud can be stopped from entering the system with real-time recognition of users anytime, anywhere. Whether your preferred device is any smartphone, tablet or desktop, there is a user interface available. For regulated processes, where individual consent and/or validation are vital, technologies such as SIGNificant Signature Solutions from Icon UK can deliver a huge impact. Not only can signature fraud be eliminated, but process times can be dramatically reduced, and costs by up to 90 per cent. Moreover, enhanced customer experience typically generates additional loyalty, revenues and profits.

Chris Jones is CEO at Icon
info@icon-uk.net
http://www.icon-uk.net/electronic_signature.html



The big interview Frank Abagnale EXCLUSIVE Joanne Frearson

LONG GONE are the days where Frank Abagnale, former con artist, walked into a bank impersonating a Pan-Am pilot trying to cash in bad cheques. The man whose life story was the inspiration behind the Hollywood movie Catch Me If You Can, directed by Steven Spielberg and starring Leonardo DiCaprio and Tom Hanks, is now a changed man. Abagnale no longer makes his living impersonating people for his own gain, but instead uses his knowledge about fraudulent behaviour to help others. For more than 40 years he has been advising the FBI as well as helping companies such as Experian, LexisNexis and Intuit in their fraud prevention programmes.

“When I was a kid, everything I did – none of it was premeditated,” Abagnale tells Business Reporter over the phone from Washington, DC. “I ran away from home and started writing some cheques. I would go into a bank and would be trying to convince the teller to cash a cheque. The teller would say, sir, you do not have a bank account here, we cannot cash a cheque for you.

“Then one day I’m walking down the street and I see this airline crew coming out of a hotel. I think to myself, if I could get this uniform and walk into a bank as an airline pilot and say I am here on a layover, I ran a little low on money, could I cash a cheque, it would give me a lot more power in getting a cheque cashed.

“I never thought about getting on airplanes, riding around for free and going to hotels – just, how could I get this uniform to cash cheques? So then there was the whole phone call to Pan-Am, getting them to give me the information on where to get the uniform.

“But, when I got the uniform, there were no wings and no hat emblem, so that was the next thing to overcome – that and the ID card. I made some phone calls and found out you had to go out to Hangar 14 at JFK airport, to what they call the Stores Department.

“I went out there and put a raincoat over my shoulder and put my hat under my armpit and walked by the security guard. All they saw was the uniform from that angle. When I got into the Stores Department, I told them I lost my wings and hat emblem and got a new pair, and that’s how I got it.”

By the time he was 21, Abagnale had cashed $2.5million worth of bad cheques, flown around the world by impersonating a Pan-Am pilot, and had even worked in a hospital for a short period of time after masquerading as a doctor. In 1969 Abagnale was arrested by the French police, and served time in the French, Swedish and US prison systems. He was given 12 years, but was released after five on the condition that he would help the US government, without being paid, by teaching and assisting federal law enforcement agencies.

The former con artist is now working on the right side of the law. Companies use his knowledge of how a fraudster might think to understand how to build technologies to stop them getting inside their systems.

If you make it easy for someone to steal from you, chances are they will

The CV: Frank Abagnale

• Frank Abagnale has worked with the FBI for more than four decades and more than 14,000 financial institutions, corporations and law enforcement agencies use his fraud prevention programmes.
• He lectures extensively in the field offices of the Federal Bureau of Investigation and at the FBI Academy, and is a faculty member at the National Advocacy Center (NAC), operated by the Department of Justice.
• Every year he also conducts more than 100 domestic and international seminars for his clients, to educate attendees on how to reduce their exposure to fraud, forgery and embezzlement.
• His book Catch Me If You Can was made into a movie of the same name, as well as a Broadway musical which opened in April 2011 and won a Tony award. Other books he has written include Stealing Your Life, The Art Of The Steal, and The Real U Guide To Identity Theft.

“The criminal mind and the way the criminal thinks have pretty much stayed the same,” Abagnale says. “The truth is the majority of people in the world are honest. They do not have a deceptive mind. This is why they fall victim to a lot of things. They are extremely well educated business people.

“I have that mind when I look at things – right away, I look at things from out of the box. I try to figure out what is really behind this question or this email or this letter or this phone call. That ability has come from my past.”

He has spent 10 years developing a technology called the 41st Parameter with former American Express Worldwide fraud director Ori Eisen, which enables banks and companies to determine who they are doing business with on the other end of the computer.

Abagnale’s passion is now helping to educate people and companies about fraud. He says: “If you explain to people what is going on, it opens their eyes. This is why I write books, this is why I go out and lecture. The best thing I can do is simply educate people.”

According to Abagnale, as long as you have information on someone stored somewhere, someone is going to find it. He believes that over the next five to 10 years, we are going to see the whole internet become much more dangerous.

He says: “Right now, the threat is financial harm, but over the next years what we are going to see is the ability to shut off someone’s pacemaker from thousands of miles away. We can actually do that now, but you have to be within 35 feet of the victim, and in about five years you will be able to do that from much further.

“We can already now control cars remotely. If we are chasing after a car and we get close enough to it, we can shut the



Like us: www.facebook.com/biznessreporter | Contact us at info@lyonsdown.co.uk


motor off. We can kill the power steering. We can kill the brakes. We can lock the door, so the criminal cannot get out. Within the next five to 10 years you will see criminals using that, if they want to kill someone going down the M4.

“Then, of course, there is terrorism. It will be used to attack electrical grids and banking facilities and things like that. We’re going to see the internet become a lot more dangerous.

“Someone asked me the other day, how do we 100 per cent secure our company from being hit by a hacker? My answer was, there is only one way to be able to do that 100 per cent, and that would be to get offline, to go back to the old way and take all the information offline.

“The internet is not 100 per cent secure, and it is amazing that not only do we use this unsecure environment to move money all over the world, but that we also use it for our defence.

“Fraud really never changes, just the means by which it is perpetrated. All of the things that go on today have gone on for years and years. The internet has just made it accessible to millions of people to be victimised all over the world.

“As I said to this individual, if they are hacking into aircraft carriers, bombers going across the ocean, navy destroyers and the Pentagon, you can easily imagine the damage they would do to some small business or company sitting somewhere. Unfortunately if you make it easy for someone to steal from you the chances are someone will, so don’t make it easy. You have to be a little smarter today than you did 30 years ago.”

Businesses and individuals certainly need to be more aware of how to protect themselves against fraud these days, and Abagnale believes prevention is the only viable course of action against fraud. A classic poacher-turned-gamekeeper, Abagnale changed his life and is now a respected figure in the fraud industry, helping the FBI and businesses fight this crime. And by education and thinking outside the box, businesses and individuals can learn to protect themselves against fraud.

Below: Leonardo DiCaprio as Abagnale in Steven Spielberg’s 2002 movie Catch Me If You Can

Frank Abagnale’s top five tips for avoiding fraud

A respected authority on the subjects of forgery, embezzlement and secure documents, here are Frank’s tips for protecting yourself against fraud…

1. Shred personal and important information with a security micro-cut shredder. If you use a straight or crisscross shredder, there is technology out there that can be used to put the document back together. A security micro-cut shredder is the only device that will literally destroy documents.
2. Use a credit monitoring service. These services monitor your credit for you – if someone attempts to get credit in your name, or apply for a job or bank account, it will alert you in real time.
3. Credit cards should be used over debit cards, because if someone charges up your card your liability is zero.
4. Do not include your date of birth or where you were born on social media accounts, as that is just asking someone to steal your identity.
5. Be wary of who you hand cheques to – it will have your name and address, phone number, your bank’s name and address, your account number and signature.

EXPERT INSIGHT

What Princess Leia can teach us about fraud control

Simon Ashby

ACCORDING to the Association of Certified Fraud Examiners (ACFE), occupational fraud (asset theft, corruption and financial mis-statements) costs an average business 5 per cent of its revenues every year, with global fraud losses totalling $3.7trillion. That is a startling amount of money, and shows how significant fraud losses are to businesses, as well as their shareholders and customers – who are likely to suffer lower dividends and higher prices as a result.

Why employees commit fraud is well understood – the so-called fraud triangle shows that fraud is typically a combination of motive (usually greed), opportunity (e.g. weak internal controls) and rationalisation (e.g. revenge, or the misplaced belief that fraud is a victimless crime). What is far more difficult is detecting and preventing individual fraud events. Knowing why an employee might become a fraudster is one thing – finding ways to actually identify those committing fraud or preventing others from engaging in fraud in the first place is quite another. The ACFE estimates that it takes on average 18 months to detect a fraud case, which suggests that there is plenty of room for improvement.

So what is the secret to effective fraud detection and prevention in organisations? If I had the answer to that I would already own the super yacht and Cap d’Antibes mansion I dream about (and I am far too honest ever to consider acquiring them via non-legitimate means). However, there are a few key factors to focus on.

The first is your internal controls – proper controls over budgets, expenses, procurement, and so on, such as segregation of duties, audit checks and financial reconciliations will help to prevent fraud. However, as Princess Leia once explained in the original Star Wars: “The more you tighten your grip, the more star systems will slip through your fingers,” meaning that ever-tighter and often inflexible controls can often prove ineffective, as people quickly learn how to circumvent them.

Another is fraud monitoring and detection using appropriate indicators (some banks used to require that staff only have accounts with them, so that they could monitor account transactions) and whistleblowing procedures. But having such monitoring and detection controls does not guarantee they will be implemented effectively: the head of financial crime in one organisation I worked for once stated, with misplaced pride, that the whistleblowing hotline never rang, but that same organisation suffered a major governance and misconduct scandal only a few years later (long after I left, if you ask).

So what does work best? In my view the best weapons are training and culture. What businesses need are loyal employees who understand that occupational fraud is far from victimless and is an assault on their fellow employees, shareholders and customers. Achieving these outcomes is not easy, especially when many businesses are still looking at redundancies and pay freezes to make ends meet. However, there are organisations that can help – such as Leicester University, which offers an anti-fraud and corruption training course, and Cifas, the fraud prevention service, with its annual Employee Fraudscape. It is also possible to learn from successful organisations like the John Lewis Partnership, which typically suffers from less occupational fraud than other organisations – attributed to its profit-sharing partnership structure and high levels of employee engagement. After all, if you own a share of your organisation, you are only stealing from yourself.

So in combatting fraud do not forget the softer controls like culture and training. If you can get these right, you should see significant reductions in revenue losses from fraud – and if you do, remember who gave you that advice. I still want to earn that yacht!

Dr Simon Ashby is Associate Professor of Financial Services at Plymouth Business School



Working smarter, not harder, is the key to beating the mobile fraudsters

With an average total cost per data breach in the UK reaching almost £2.5million in 2015, the stakes are extremely high for e-commerce businesses.[1] Data security is an area of increasing concern and a breach in privacy can break even the most loyal customers’ trust. Fraudsters are more determined and sophisticated than ever, so no e-commerce business can afford to be complacent about fraud.

The emergence of new channels and technologies gives fraudsters an increasing number of methods with which to attack retailers. Some will attempt to commit fraud through mobile channels, where fraud prevention may be weaker and less sophisticated. Others will try to use a number of channels together to evade fraud management tools. The need to analyse levels of fraud by each online channel within a single, integrated fraud prevention system is paramount if merchants of all sizes want to avoid multichannel fraud.

More than half of retailers consider it “very important” to detect mobile transactions, yet only 16 per cent are able to identify the type of mobile device used.[2] One of the most popular methods for identifying the physical location of an e-commerce shopper is internet protocol (IP) geolocation, which can detect if m-commerce payments are made from home or another Wi-Fi connection from the IP address. However, as soon as the mobile device is disconnected from a fixed location it becomes impossible to track using an IP address because mobile operators use a series of different web addresses for the same device.

This means that e-tailers may need to adopt different tools to track and prevent m-commerce fraud. ID authentication (also known as device fingerprinting or device identification) is one such tool.

Adopting a customised, flexible and scalable approach to fraud management, that helps address security concerns while also meeting the demands of a growing business, is essential. While some believe that exposure to international fraud is typically higher than domestic fraud, this should not be a deterrent from entering new markets. By working smarter, not harder, businesses can keep costly manual fraud reviews to a minimum using more accurate, automated screening. Using payment data to enable the right fraud prevention strategy may allow retailers to boost revenues by turning more orders into sales, increase profitability from international markets and protect brand reputation.

At Chase Paymentech we help more than 260,000 merchants globally with bespoke payment processing, fraud and data security solutions. Our technology solutions offer a streamlined and efficient way to manage your payment processing and acquiring requirements, while enhancing your financial reporting and business intelligence.

0845 399 1120
www.chasepaymentech.co.uk

[1] Source: 2015 Cost of Data Breach Study: United Kingdom, Ponemon Institute LLC
[2] Source: Mobile Payments & Fraud Survey (2014)

Disclaimer: Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. (JPMC) and is regulated by the Central Bank of Ireland. The information herein or any document attached hereto does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. This document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than expressly authorised by Chase Paymentech Europe Limited. © 2015, Chase Paymentech Europe Limited. All rights reserved.

Don’t let fraud add to your post-holiday blues

Just back from holiday? Still feeling relaxed? Well, you shouldn’t be. While you’ve been off catching a few rays, the fraudsters have been busy back at work. Fraud can be most prevalent during the holiday season, with key employees often away at the same time, buildings half empty with a skeleton staff, systems and documents unchecked and controls sidestepped. Every UK business is a target, whatever its size or nature – and for smaller companies, the situation can be made even worse by the decision to have a “summer shutdown”.

So how can you check if you’ve been a victim of the canny individual who was quick to spot a chink in your security armour?

• Review bank statements for unusual, unexpected or large transactions – and ask finance staff if there were any requests for urgent payments, especially those using unusual methods, such as manual cheques
• Check the sales ledger to see if outstanding debts have been paid on time – if not, cheque payments may have been diverted, either by staff or in transit
• Review systems for any transactions posted out of office hours – an employee is more likely to commit nefarious acts when there is no one looking over their shoulder
• Ask security if anyone accessed the building at unusual times – a fraudster could try to cover their tracks by posting transactions when the office is empty
• Any unexplained or extended absence should be followed up immediately. That tummy bug could be an excuse for the fraudster to distance themselves from the scene of the crime.

Of course, prevention is better than cure, so taking a few precautionary measures can ensure the workplace is not left exposed to the machinations of fraudsters in the future.

• During the holiday period, some organisations employ temporary staff in key areas such as security or IT, so scrutiny and screening are key. Where possible, at least one permanent member of staff should be present, and references and details for temporary employees must be examined thoroughly and verified through independent sources.
• To prevent the opportunistic fraudster from exploiting empty offices and potentially unchecked system access, employers should ensure any IT and security devices have sufficient data storage to last the entire shutdown period. Additionally, check back-up tapes of critical IT systems and key documents are secured, preferably with duplicate copies maintained off-site. Consider limiting access rights to key computer systems temporarily to essential personnel, and disable all remote access facilities to IT systems.

And if fraud does occur, employers should familiarise themselves with the company’s fraud response plan to be prepared for the worst. If no plan exists draw one up, preferably before the holiday period. Bosses need to produce a comprehensive list of contacts for all senior personnel, as well as key business advisers and other parties such as accountants, lawyers, the police, insurers and bankers, so they can be contacted quickly if necessary.

Finding out you’ve been a victim to fraud can see that holiday feeling fade as quickly as your tan. But applying simple measures before you go, followed by a few rigorous checks once you return, can help protect your organisation and make it harder for those fraudsters to strike.

Andrew Durant is senior managing director, forensic accounting and advisory services, at FTI Consulting
+44 20 3727 1144
andrew.durant@fticonsulting.com

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting LLP, its management, its subsidiaries, its affiliates, or its other professionals, members or employees.



Inspector Dogberry

Fringe benefits

BEING a big theatre and comedy buff, the Inspector naturally loves to attend events that support new talent, such as the Edinburgh Fringe Festival. He was therefore shocked to hear the Fringe Society was recently the victim of a sophisticated fraud, but also glad to know the situation has now been resolved.

Around £220,000 was stolen by one employee using complex financial disbursements over an eight-year period. The monies have already been identified and recovered from the perpetrator, who no longer works for the Society, and a case filed with Police Scotland.

Kath Mainland, chief executive of The Edinburgh Festival Fringe Society, says: “We have been a victim of a sophisticated fraud campaign conducted by one individual in a position of responsibility over an extended period of time.

“The amount of money involved in any given year was, on average, less than 1 per cent of the Fringe Society’s annual turnover and not operationally impactful. We do take matters such as this very seriously. Despite already recovering the funds, I wanted to be open about the situation and offer the opportunity to members to discuss this at our annual general meeting in August.”

Under police advice, The Fringe Society cannot name the individual involved, nor disclose specific information due to the ongoing police investigation.

Mainland adds: “This matter has had no impact on the Fringe itself, and we are looking forward to what will be a fantastic celebration of culture and entertainment from all around the world.

“The disappointment at having identified the crime is certainly alleviated by our success in recovering the funds swiftly and being able to move on.

“The measures required to reinforce our financial processes have already been taken, although I am satisfied that not much more could have been done to prevent us falling victim to such a deliberate and sophisticated crime.”

The Edinburgh Festival Fringe Society asked independent forensic accountants to review its processes, to ensure all lost funds were identified and recovered. This project has now been completed and the recommendations implemented. Ticket revenue and restricted public funds had already been ring-fenced and were not involved.

By Sara Tuxworth, web assistant

FraudBytes
http://fraudbytes.blogspot.co.uk
This blog offers interesting insights on recent fraud scandals from the controversy around Lance Armstrong’s doping to looking into where charity donations end up. FraudBytes looks at a wide range of fraud topics, from academia to sports and medicine. You can also follow them on Twitter at @FraudBytes.

FRAUDinfo
http://fraudinfoblog.squarespace.com
Not so much an independent blog than a website that collates all the recent news on fraud. The articles featured are uploaded daily and present a concise place for all your fraud news in one place – perfect for researching the current climate in financial crime. Follow the updates here @TheACFE.

A blog about bank phishing scams
www.akwatts.co.uk
Andy Watts’ blog does exactly what it says on the tin, with easygoing posts based on Watts’ own experience with fraudulent emails and phone calls. With more and more of these circulating, this blog is a great place to go if you want to understand what you’re dealing with.

The Fraud Guy
https://thefraudguy.wordpress.com
Started by John Hanson in 2009, The Fraud Guy provides informative, anecdotal discussions on fraudulent activity. If you want an informative, in-depth layman’s approach to all areas of fraudulent activity, this is the place to go.

DashAccess (Free – iOS)
DashAccess provides the latest news on scams and fraudulent activity as well as tips on fraud prevention – all while bumping up the security of your device.

Scam Detector (Free – Android)
This app reveals more than 650 scams across the world. The search feature lets you know what scams to look out for if you are travelling to another country.

Mobile fraud is increasing – and merchants still aren’t ready!

Mobile commerce is booming in the UK. Figures issued earlier this year predict UK shoppers will spend £14.85bn in 2015, up 77.8 per cent from 2014. This boom is good for merchants and consumers. Unfortunately, it is also good for fraudsters. Criminals are opportunistic. The surge in mobile commerce has given fraudsters more chances to defraud consumers, merchants and banks alike.

The Kount Mobile Payments and Fraud Survey is the biggest of its kind in the world. Some 2,000 merchants, service providers, card issuers, acquirers and card associations all took part in the 2015 survey, sharing their experiences of risk management, mobile and payments. The survey revealed the concerning news that merchant understanding of fraud is lagging behind mobile fraud growth.

Despite the growth of mobile commerce, and there being more tools available to fight related fraud, most merchants are still in the dark – less than 40 per cent can detect if a customer is using a mobile device, and only 17 per cent can determine the type of device. The survey revealed the problem is greater for SMEs: fraud is a threat to all, but larger merchants are better equipped.

If merchants don’t know where transactions are coming from, they are unable to know where fraud is coming from and are unable to take the necessary precautions. Indeed, they tend to consider mobile channels less risky, or as risky as standard channels. One-quarter (24.2 per cent) of respondents felt mobile required specialised fraud tools, but more concerning was that nearly a third of merchants plan to add no additional tools or services to combat mobile channel fraud.

Mobile commerce is growing, and with it so is mobile fraud. Yet we have a troubling picture where too many merchants are unable to spot it, never mind fight it. Merchants are enjoying the benefits of mobile commerce. They should also be working to avoid the pitfalls too.

0844 293 9764
www.kount.com



INSIDE TRACK

Protecting your business from fraudsters’ tactics

Did you know that fraud costs businesses in the UK more than £5billion a year? This is an eye-watering sum of money and digital innovations in the way we manage our money means we are seeing an increase in attacks using online techniques. It’s not just small firms that should consider the risk of a cyber-attack. So too should large multinational corporations. Worryingly, there appears to be a rise in the number of instances of criminals targeting these bigger companies. Some would argue that criminals are chasing higher returns – more money in an account means more money to steal, and therefore greater profit for the perpetrator.

The criminal techniques used to target businesses are sophisticated and ever changing. Vishing – where fraudsters obtain personal details of a victim over the phone – and phishing – when fraudsters access personal details, such as usernames and passwords – remain prevalent. Criminals are also combining these techniques with malware to steal credentials and make fraudulent payments from business accounts.

Companies need to remain vigilant and ensure their staff are aware of the risks, particularly those who have access to the business’s bank accounts. Banks have invested heavily in anti-fraud protection, but criminals will go to significant lengths to convince the customer that they are the bank, the police, or frankly anyone, to ensure that they obtain the information they need to steal their money.

Many risks to banks and their clients come from overseas. Therefore we need a robust international law enforcement response to this kind of criminality. A lot of work has been done over the last few years to strengthen controls in banks and create partnerships with public authorities and law enforcement, but we still need to do more.

Find out how to protect yourself and your business from fraud by visiting our Know Fraud, No Fraud website at www.bba.org.uk/landingpage/know-fraud

Fighting the cyber threat from within

Do you ever feel like all this talk about cyber-security is being exaggerated and that you don’t need to worry about it that much? Although many people are affected by “it won’t happen to me” syndrome, the fact is that 51 per cent of the UK population has already been a victim of online crime, according to the Get Safe Online survey conducted by the UK government in 2014. Regardless, 47 per cent of Britons don’t consider online crime to be as serious as a physical crime, and only 32 per cent of the victims reported it. Some don’t even realise it is a police matter and that criminals can be sent to jail for online offences. This sort of belief is helping criminals to thrive.

If there was ever a boundary between online and physical, this has been dissolved as we are now more connected than ever. The impact of cyber-crime is not virtual either; for the victims – whether individuals, companies or governments – consequences are very real, from losing money to losing jobs, service disruption and lawsuits in between. Without security, digitalisation may reach a chaotic point when it is unsustainable.

People’s general attitude towards cyber-security is the biggest challenge that companies now need to face. If people don’t perceive the threat, they won’t act on it; they are also more likely to interpret any measures to prevent it as inconvenient or a waste of time. Take a real-life example: people lock their doors without complaining this is slowing them down when they want to get in or out. As they recognise the risk of burglary, locking becomes natural. In fact, they would feel uncomfortable not to do it. We should take cyber-security up to this same level.

Adversaries are refining their attacks and their ability to evade detection and the security industry is struggling to keep up. The UK government has committed to a £860million investment in cyber-security and private companies are also increasingly investing; it is however very important that this is not done in isolation, led by the few security-savvy leaders and imposed on to the many. There needs to be an effort in educating, training, increasing awareness. Companies should start fighting the risk from within.

As an employer, you can help by openly discussing cyber-security in your boardroom, by being more transparent with your employees and making them aware of the types of attacks your company has already experienced or is exposed to. Illustrate the financial impact you may have and how it affects each employee. Conduct regular training, clarify policies to report incidents and how everyone can prevent everyday threats. This same practice should also be extended to customers. If they understand the challenge and potential impact, they are more likely to be supportive.

The change in behaviour won’t happen overnight but until cyber-security is seen as an enabler and not a hassle, we all need to take action in driving this shift.

Terry Greer-King is director of cyber-security, Cisco UK & Ireland
securitymarketing-uki@cisco.com
www.cisco.com/uk/security



My view: data that isn’t stored can’t be stolen

In 2014, the UK saw 117 crimes involving the theft of credit or debit card data. This represents a staggering 62 per cent of all breaches in Europe. For telephone payments the numbers are also shocking. A recent US report revealed that phone fraud is up by 30 per cent, possibly due to the rise in e-commerce, which has led to more people calling for help with online purchases. Contact centres are now a big target for fraudsters, with many handling thousands of payments daily. One report has revealed that a quarter of all data breaches last year came from internal sources – with the sector known for its high employee turnover rate, this is concerning. Ultimately, it’s businesses that will pay the price – research from Semafone found that 86 per cent of consumers would shun a brand that suffered a data breach.

For contact centres handling sensitive information, the best way to reduce risk is simply to avoid storing data. Semafone, the leading provider of secure voice payment software, has patented a method that enables card data to bypass the contact centre and go directly to the bank from a telephone keypad. If the information isn’t stored, seen or heard by anyone, it can’t be stolen.

Tim Critchley is CEO of Semafone
0845 543 0822
www.semafone.com

The golden touch: why effective cyber-security needs a more outgoing approach

To defend themselves against a fraudulent cyber-security attack, organisations need to make sure they know where all their critical data is – not only within their own firm, but also that of their suppliers and partners. All parties need to be educated about what is at risk, and systems need to be built which allow organisations to stop attacks in the first instance.

Raj Samani, CTO for Intel Security EMEA and special adviser against cyber-crime to Europol and the European Cyber Crime Centre, has been working with authorities to fight against cyberattacks. He says: “We have this concept called the golden hour. In medical terms, the golden hour – the period within which someone has a medical emergency, such as a heart condition, where they literally have one hour to seek medical care. We have the same analogy in the world of cyber, in that the quicker you have the ability to identify the risk and detect the issue, the smaller the potential impact you may have.”

In the Carbanak attack, for example, in which millions of dollars were stolen from banks and private customers and which was discovered in early 2015, Samani explains that there were five critical junctions where the threat could have been identified and stopped – from the initial inspection and the lateral movements, to the recording of information and the data leaving the network.

The Carbanak cyber-gang stole around $250million from banks, with some speculating the figure to be as high as $1billion, by infiltrating financial systems through a “spear phishing” email. The criminals were able to take over the webcams of the infected computers, enabling them to record keystrokes and get an understanding of the way the banks worked. Using this information they would slowly begin extracting money from the bank.

Samani explains that attacks such as Carbanak could potentially be prevented if companies used an Advanced Threat Defence system. Such a system detects malware, which can be hard for normal anti-virus systems to do, by running any suspect code in an isolated environment.

According to HP Enterprise Security Services, companies should take a three-step approach to guarding against malware: protecting, detecting and having a structured response plan for what happens if and when you are breached. This should involve looking at data from both inside and outside an organisation.

“Information is spread across organisations, their partners and supply chains. Often, organisations are not aware of that or the significance of all that data,” says Richard Archdeacon, CTO of strategy and technology at HP Enterprise Security Services. “It is important to understand where the data is.

“You have to educate not only your staff, but your customers, your partners and suppliers, so they are not victims of any fraudulent approach that may resolve in a breach in activity. One of the biggest risks going forward is the shortage of resource or capabilities, with which organisations can defend themselves.

“Collaboration is critical. We have to look at intelligence sharing around these fraudulent activities, so we can identify actors in advance, to be able to protect ourselves proactively rather than reactively.”

HP and Intel are partnering to ensure businesses are protected against threats from all angles. See more at https://youtu.be/ybPLpjtEFtM
www.hp.com/go/hpsr

Recent scandals underscore the importance of a speak-up culture

High-profile corporate scandals cost organisations millions in legal and regulatory costs, as well as causing severe reputational damage. Toshiba’s recent profit overstatement is a prime example. In most of these cases a lack of a speak-up culture is at least partly to blame. Companies need to have clear strategies and tools in place to foster employee trust and emphasise the importance of raising questions and reporting misconduct. Those companies that have built an effective speak-up culture generally follow these four key steps:

• Develop open lines of communication. Create a culture of openness that encourages employees to report potential problems, and set up an anonymous third-party hosted hotline for whistleblowers.
• Conduct ongoing appropriate training and awareness. Train your employees, including your board of directors, to recognise potentially risky situations or suspect behaviour of other employees. Know ahead of time what the options are to raise questions and how to take appropriate action.
• Designate a compliance owner. This person should be a well-qualified member of senior management with direct access to the governing body and with reporting responsibility.
• Implement written standards and procedures. To ensure that every employee is aware of the company’s compliance culture, the policies and procedures relevant to each function need to be communicated in a manner that is easy to digest, relatable and measurable.

By building a robust ethics and compliance programme with strong leadership commitment, organisations can begin building a culture that protects itself from fraudulent activity. Companies should continually benchmark compliance data against peers in their industry. To find out how your own organisation ranks, download our free benchmark reports on Ethics Training, Policy Management and Whistleblowing Hotlines at www.navexglobal.com. These reports give you access to the world’s largest database of ethics and compliance outcomes from thousands of organisations.

Daniel Kline is managing director (EMEA & APAC) at NAVEX Global
020 8939 1650
www.navexglobal.com


Business Zone


The future

In the battle against fraud, is it the customer who pays?

The fight against fraud will always involve a battle between two protagonists: criminal ingenuity and the innocent bystander. The challenge is to counter the former without negatively impacting the customer experience of the latter.

Criminal ingenuity creates a dynamic threat landscape that organisations must contend with. Companies and industries often update defences in response to specific attacks or trends, much like a hasty vaccination campaign after an epidemic. Criminals are ROI-fiends, like legitimate entrepreneurs – if they can use a simpler, less risky scam, they will. Successful frauds are only as time-consuming and sophisticated as criminals need them to be. Good defence inevitably forces the criminal to a different sector, or to different scams against the same target. For example, as retail banks saw sharp declines in counterfeit card fraud when chip and PIN was introduced, they saw simultaneous increases in “card not present” and identity fraud – both further fuelled by recent cyberdata breaches. And as the insurance industry moves towards herd immunity against “cash for crash” frauds, insurers’ personal injury books are suffering.

You’ve simply got to keep up with the herd. First, very often someone in another industry has already solved your problem; second, if you’re falling behind other sectors or peers in the defence stakes, you risk becoming the target.

As for the customer experience, many businesses increasingly see this as a more important driver than the reduction of fraud losses. Smart organisations know that there is no point in keeping fraudsters out if you’re simultaneously putting off genuine customers in the process. They’ll simply go elsewhere. Research from Zendesk suggests that 39 per cent of customers continue to avoid companies for two or more years after a bad experience. Businesses targeted by fraud need to weigh the long-lasting impact of defence measures on customer service. For a bank, that might mean making sure the login process for online banking is easy enough for customers without sacrificing authentication. For insurers, the claims process – often used by customers at a time of extreme distress – has to be handled speedily and sensitively.

There’s reason for hope. Criminals love return on investment, so bigger, riskier investment will make them look elsewhere. But at the same time, it’s vital that organisations defend and keep the customer, not merely secure the cash.

Steve Clark is director, financial crime, BAE Systems Applied Intelligence
learn@baesystems.com
www.baesystems.com/ai

Video special

Delivering a real-time customer experience
Consumer behaviour is evolving, driven by tech advancements and the convenience and flexibility digital channels such as web, mobile web and mobile apps offer. See more at http://bit.ly/1MSrNep

In focus

Intelligence is king: how to win back the 5 per cent of revenue lost to fraud

Businesses can lose, on average, 5 per cent of revenue each year to fraud, according to new research from the University of Portsmouth’s Centre for Counter Fraud Studies and accountancy firm PKF Littlejohn*. This amounts to a total annual cost of nearly £98.6bn in the UK. Infamous incidents such as Morrisons’ insider fraud in 2014 and the selling of T-Mobile’s customer records made the fraud threat extremely real to the UK public and organisations. As technology becomes more advanced, inevitably fraud schemes are becoming more complex. Hence the question arises: in the face of an ever-evolving crime environment, how do you as a company director fulfil your duty to prevent fraud?

There is no need for alarm, but it is imperative to stay aware of trends and implement solutions to help reduce the risk. Consider the experiences of some leading UK organisations. The Medicines and Healthcare Regulatory Authority (MHRA) and British Telecom (BT) embrace technology to fight crime, with systems that centrally record information about fraud and other crime. This is analysed and transformed into meaningful intelligence, which allows these organisations to spot trends and connections between incidents and so help prevent fraud from reoccurring. Alerts are automatically triggered by certain events, providing a time advantage over perpetrators. Technology and intelligence become integral parts of the fraud prevention process.

But why not take it further? When it comes to intelligence, more is better. Technology-savvy organisations share intelligence quickly between each other via a central database to fight against fraudulent activities. By building a culture of fraud intelligence sharing you can reduce fraud and deliver financial benefits far greater than the cost of inflicted fraud.

info@abmsoftware.com
www.abmsoftware.com

*Jim Gee and Professor Mark Button, The Financial Cost of Fraud 2015

Mobile fraud will increase without adequate defences

Mobile is the most-used banking channel in 13 of 22 countries and accounts for around 30 per cent of all interactions worldwide. m-commerce has soared to 15 per cent of all merchants, with merchants citing customer convenience as the key driver. Yet mobile fraud is increasing due to the expansion of mobile functionality. For example, of merchants accepting m-commerce payments in 2014, mobile transactions accounted for only 14 per cent of the total transaction volume, but 21 per cent of the volume of fraudulent transactions.

This shift towards mobile increases the need for advanced mobile security, yet security executives are faced with building a frictionless environment. The good news is that with InAuth’s market-leading capabilities, mobile devices can be secured. In particular, the InAuth InMobile™ product makes it possible for the customer to do business while protecting against a wide variety of attacks.

So what defences are necessary to create a secure mobile architecture and mitigate mobile fraud risk?

• Permanent device identification
• Encrypted communications
• Application validation
• Digital signatures
• Anti-replay
• Certificate pinning
• Deep device location information
• Crimeware/malware detection
• Advanced rooted/jailbreak detection
• Asserted ID from device data including build data, location, application and carrier data
• Rules and risk-based analytics

InAuth has built all of these capabilities to create the most secure mobile environment possible today, resulting in fraud loss reductions with an ROI as well as invaluable brand protection.

Michael Lynch is chief strategy officer at InAuth
+1 (855) 801-0774
www.inauth.com



The debate

How serious is the fraud problem in 2015?

Rob Holmes, general manager, email fraud protection, Return Path
David Lannin, director of technology, Sapphire
George Robbins, senior director, financial crime, BAE Systems Applied Intelligence
Brad Wiskirchen, CEO, Kount
Ajay Bhalla, president, enterprise security solutions, MasterCard

Email continues to be the leading attack vector used by cybercriminals to defraud victims, with RSA identifying a new phishing attack every minute, and estimating that phishing attacks cost global organisations $4.5billion in losses in 2014. After falling victim to email fraud, the trust your consumers have in your brand will be negatively impacted and this will ultimately affect their buying decisions – with recent studies suggesting 60 per cent of your customers will think about moving and 30 per cent actually will. Phishers can erase years of goodwill in a second by exploiting your brand, but only if you let them. The most forward-thinking CISOs and CIOs understand that securing the email channel needs to be a priority for the business, and with PwC’s latest US cyber-security leadership study stating that cyber-security is now a board oversight issue, now is the time for security professionals to take a proactive approach to email fraud protection.

The cyber-security advice we give to businesses is also relevant to consumers – knowledge and visibility help fight fraud. Knowing who you’re dealing with is vital. If you don’t recall entering a competition or are puzzled why your bank is reconfirming personal information, err on the side of caution. While fraud can be easy to identify with simplistic attempts at deception, sometimes it can be difficult to spot, trying to catch the victim unawares. Like a wolf in sheep’s clothing, it tries to lull us into a false sense of security to extract valuable secrets. How we protect against this unwelcome visitor online is reflected in the real world. Like asking the gas man for ID, ask questions in the digital world too. Use different passwords online as you would have different keys to secure your possessions. Don’t share personal information with strangers. Be vigilant – it will help you recognise the wolf when he comes to knock. If in doubt, press delete or pick up the phone to check.

It will be as serious as it’s ever been, with two key trends underpinning the year – fraudsters’ ability to hide behind business complexity, and the rapidity with which they can change and adapt their behaviour. Unlike corporations, criminals don’t need to build a formal business case or propose lengthy operating model modifications – they can simply discard old techniques and swiftly invent new ones. Indeed, the pace at which fraudsters flex their tactics is only accelerated by that at which people and organisations adopt new technology. A rich hunting ground will be available as more channels – such as mobile and apps – continue to grow. Fraudsters will build on traditional crimes like card fraud, as Chip and PIN developments reduce the opportunity and increase the risk for them. Their portfolio will diversify towards “softer” targets. Tax refund fraud in the US alone, for example, looks set to reach a staggering $21billion by 2016, according to the IRS.

Fraud should be taken even more seriously in 2015 than in 2014. And in 2016 it should be seen as more serious than in 2015. Every year fraudsters use new methods, techniques and tactics to steal from online merchants of every size and vertical industry. No one is immune from these cyber-criminals. It’s getting easier for fraudsters to commit fraud online and more difficult for online merchants to detect and stop fraud every day. With the uptick in data breaches, fraudsters have access to more high-quality data than ever before. They are better networked and organised. They have several software tools designed to “spoof” online merchants and look like legitimate customers. As the market changes and innovation in payments, cross-border sales and mobile commerce options increase, fraudsters will find new and ingenious ways to steal from online retailers. Fraud mitigation is no longer a nice option – it is, and ever will be, a critical part of an online strategy.

The threat of crime for businesses is not new, but managing crime in a new era of digital innovation is. There will be more change in the payment landscape in the next five years than there has been in the past 50. Growth in electronic payments, coupled with the onset of the internet of things (IoT), turning devices into payment tools, has opened up new opportunities for criminals and made managing threats more complex. While payments have never been safer, criminals have also never been smarter. Cyber-crime is a very serious threat and businesses require a multi-layered approach to safety and security in order to effectively manage the rapid change in consumer behaviour. The good news is that the technology already exists to manage the threat, but businesses need to adapt quickly in order to stay one step ahead. Businesses that don’t run the risk of incurring both a financial and reputational cost that fraud invariably brings.

+44 (0)20 7034 5467 returnpath.com/stopemailfraud

0845 58 27001 DavidL@sapphire.net

www.baesystems.com/ai

www.kount.com

www.mastercard.com

Spotlight

What keeps MLROs awake at night?

Each firm within the UK regulated financial services sector is required to appoint a money-laundering reporting officer (MLRO), who is the focal point for a firm’s adherence to anti-money laundering and terrorist financing regulations. An MLRO must consider internal disclosures of suspected money-laundering or terrorist financing, decide whether there are sufficient grounds for suspicion to pass disclosures to the National Crime Agency (NCA), and liaise with it to deal with such matters as consent to proceed with a transaction and other disclosure issues.

The stakes for MLROs considered to have underperformed are high. A criminal offence of “reckless mismanagement” has been introduced, which has already led to fines and imprisonment. The authorities do not need to prove money-laundering has taken place, just that the controls were not sufficient to prevent it. With all this responsibility, do they sleep well at night? Here are the five main areas where we regularly see our clients’ MLROs turn to us rather than that bottle of sleeping pills…

1. The regulations allow for a two-year jail sentence to be imposed on an MLRO if the firm is found negligent in its AML procedures. The fact that the MLRO holds ultimate responsibility for the mistakes of others is a stressful burden. The MLRO also has FCA obligations to abide by in addition to the legislation.
2. Compliance is very much at the forefront in banking, but there are still firms that are reluctant to make the necessary spend. A lack of quality resources can add pressure to the MLRO’s workload.
3. Interpreting the guidelines in the financial crime sphere can be a headache, as different firms use various standards for KYC/AML compliance, which can often lead to confusion. The MLRO needs to keep abreast of standards and changes while juggling the role.
4. In smaller firms and branches of foreign banks in the UK, the MLRO can wear many hats. This impacts the time available to spend on financial crime issues, and quality may be compromised. For foreign banks in the UK the MLRO needs to also understand cross-jurisdictional issues, become familiar with overseas laws/guidelines, and ensure the UK entity follows UK rules, often despite pressure from the overseas parent company.
5. Effective reporting between board, business and compliance is key. However, many firms either have too many systems that do not provide effective reporting, or have no system at all.

The MLRO is becoming an internal arm of external law enforcement. While most if not all MLROs are highly motivated to keep the financial system clean, the increasing level of personal criminal liability is becoming a deterrent to taking that job.

dan.berner@lysisfinancial.com
www.lysisfinancial.com


